Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-28459

updated 6 days, 13 hours ago by @mweinelt Activity log

Created automatic suggestion 1 week, 1 day ago
@mweinelt dismissed 6 days, 13 hours ago

OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.

References

GitHub Security Advisory (GHSA-64qx-vpxx-mvqf) vendor-advisory
Patch Commit #1 patch
Patch Commit #2 patch
VulnCheck Advisory: OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path third-party-advisory

Affected products

OpenClaw

<2026.2.12

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable -
- nixpkgs-unstable 2026.2.26
- nixos-unstable-small 2026.2.26

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Unaffected, never had 2026.2.12 or older.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers